I noticed in Kilo there’s a validation check in the console web socket proxies 
to ensure the hostnames from the Origin and Host headers match.  This was as a 
result of CVE-2015-0259 (https://bugs.launchpad.net/nova/+bug/1409142).  
Effectively it disabled cross-site web socket connections.

This is OK for Horizon, but we also run our own custom UI that’s on a different 
hostname from the console proxy servers.  Therefore we need to have the 
cross-site connections work.  I have opened 
https://bugs.launchpad.net/nova/+bug/1474079 for this.

My thought is to add a new nova configuration parameter which would list 
additional allowed Origin hosts for the proxy servers.  And add those to the 
check at 
https://github.com/openstack/nova/blob/master/nova/console/websocketproxy.py#L116

I will probably go ahead and implement that for us internally, but interested 
in opinions on this approach for upstream Nova purposes.  I’m happy to do the 
work, but want to make sure this is generally in line with what the community 
would accept first.

Thanks,
Mike

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
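
The check proposed in the message above, sketched as an added example; it is not nova's code and not part of the original post. The parameter name `extra_allowed_origins`, the sample hostnames, and the choice to accept requests with no Origin header (non-browser clients) are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def _hostname(value, is_origin):
    """Return the lowercased hostname of an Origin URL or a Host header value."""
    if not value:
        return None
    try:
        # Origin is scheme://host[:port]; Host is only host[:port].
        parts = urlsplit(value if is_origin else "//" + value)
        host = parts.hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if is_origin and parts.scheme not in ("http", "https"):
        return None  # rejects the literal "null" origin and non-web schemes
    return host.lower() if host else None


def origin_allowed(headers, extra_allowed_origins=()):
    """Decide whether a websocket handshake may proceed.

    headers: dict with exact-case "Origin" and "Host" keys (constructed input).
    extra_allowed_origins: hypothetical config list of additional hostnames.
    """
    origin = headers.get("Origin")
    if origin is None:
        return True  # assumption: no Origin header means a non-browser client

    origin_host = _hostname(origin, is_origin=True)
    expected_host = _hostname(headers.get("Host"), is_origin=False)
    if not origin_host or not expected_host:
        return False  # unparsable or empty values fail closed

    if origin_host == expected_host:
        return True  # same-host case, e.g. a UI served from the proxy's hostname

    # Exact hostname comparison only: substring or suffix matching would let
    # "ui.example.org.attacker.test" pass for an entry "ui.example.org".
    allowed = {h.strip().lower() for h in extra_allowed_origins if h.strip()}
    return origin_host in allowed


if __name__ == "__main__":
    # Constructed sample handshake from a custom UI on a different hostname.
    req = {"Origin": "https://ui.example.org", "Host": "console.example.com:6080"}
    print(origin_allowed(req))                      # rejected without the list
    print(origin_allowed(req, ["ui.example.org"]))  # accepted once listed
```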
